JS: Add meta query for reporting threat model sources

Author: asgerf

javascript/ql/src/meta/alerts/TaintSources.ql

@@ -11,6 +11,6 @@
 import javascript
 import meta.internal.TaintMetrics
 
-from DataFlow::Node node
-where node = relevantTaintSource()
+from ThreatModelSource node
+where node = relevantTaintSource() and node.getThreatModel() = "remote"
 select node, getTaintSourceName(node)

javascript/ql/src/meta/alerts/ThreatModelSources.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Threat model sources
+ * @description Sources of possibly untrusted input that can be configured via threat models.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/threat-model-sources
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+from ThreatModelSource node, string threatModel
+where
+  node = relevantTaintSource() and
+  threatModel = node.getThreatModel() and
+  threatModel != "remote" // "remote" is reported by TaintSources.ql
+select node, getTaintSourceName(node) + " (\"" + threatModel + "\" threat model)"

javascript/ql/src/meta/internal/TaintMetrics.qll

@@ -75,9 +75,9 @@ DataFlow::Node relevantTaintSink(string kind) {
 DataFlow::Node relevantTaintSink() { result = relevantTaintSink(_) }
 
 /**
- * Gets a relevant remote flow source.
+ * Gets a relevant threat model source.
  */
-RemoteFlowSource relevantTaintSource() { not result.getFile() instanceof IgnoredFile }
+ThreatModelSource relevantTaintSource() { not result.getFile() instanceof IgnoredFile }
 
 /**
  * Gets the output of a call that shows intent to sanitize a value
@@ -102,8 +102,8 @@ DataFlow::Node relevantSanitizerInput() {
 }
 
 string getTaintSourceName(DataFlow::Node node) {
-  result = node.(RemoteFlowSource).getSourceType()
+  result = node.(ThreatModelSource).getSourceType()
   or
-  not node instanceof RemoteFlowSource and
+  not node instanceof ThreatModelSource and
   result = "Taint source"
 }